Check remote certificate - MySQL

I've found Save Remote SSL Certificate via Linux Command Line but in the case of MySQL (and thus TLS) it doesn't work.

So the question is: how do I check the remote certificate for a TLS connection to MySQL?


MySQL does not use direct SSL on the port (if it did, it would not be possible to use the same TCP/3306 port for both unencrypted and encrypted connections, in much the same manner that it is not possible to use port TCP/80 for both HTTP and HTTPS traffic).

It also does not use a simple textual STARTTLS command to switch from an unencrypted to an SSL-encrypted connection (as IMAP, POP3, FTP, SMTP, XMPP etc. do). Instead it uses its own binary protocol to negotiate mysql options (SSL being just one of them). You can see how it works in the mysql source in the sql_real_connect() function.

So to get what you want you would need to write a custom program to simulate an SSL libmysql connection, but outputting extra debug info with the SSL certificate in the process. A good starting point might be sql-common/client.c from the mysql source (look for CLIENT_SSL). Unfortunately I'm not aware of any such program already written (not that I haven't looked, I just haven't found any).

Alternatively, if you have ssh/NRPE access to the server, you could easily hack a script to use openssl(1) to display the certificate directly from the PEM file that mysqld is using; that would be much, much easier.


As this question appears as the top Google result for this, I want to add that the only method I found right now is capturing the SSL handshake with

tcpdump -ni any port 3306 -w dump.cap

and then opening it in Wireshark and checking the certificate.